DDoS Prevention Guide

My recommendation for VPN has changed as the latency provided by HideMyAss VPN's has deteriorated greatly the past few months.
I now recommend EarthVPN or blackVPN

Update (05.25.2013):

Skype has released a new version (6.5) that is still in beta. The reason that this is noteworthy is due to the fact that you can finally prevent users from retrieving your IP Address. You will first need to download the beta here and after you install go into "Tools" -> "Options" -> "Connections". As seen in the screenshot. Check the "Allow direct connections to your contacts only" which will prevent users who aren't in your contact list from making a direct connection to your PC, thus preventing them from obtaining your IP Address.

Who Am I?

I will start this guide by introducing myself and my credentials: My name is Matt “gamebox” Gunnin, President/CEO of Leaguepedia. I am a 27 year-old System Administrator for Rackspace Hosting. I have an Electrical Engineering Degree with a specialization in Wireless Engineering. Working for a web hosting company, I deal with malicious activity on a daily basis, some of which involves DDoS attacks on an Enterprise level. This can include hundreds of botnets sending millions of packets directed towards not one, but multiple endpoints. I am very confident in my abilities as a System Admin, and have a proven track record on both an infrastructure and networking standpoint. You can find more about me on my LinkedIn profile if you are in need of more background info.

When I put together our recent Leaguepedia Invitational I, we experienced the “DDoS bug” just like every other recent tournament, but I'll talk more about this later. Please understand this guide isn’t the end all be all of DDoS prevention; and for every person trying to prevent these attacks, there are ten more figuring out new ways to do the attacking. I do, however, feel that if you follow my advice, you will be 100 times less susceptible to denial of service and other attacks that could take down your internet connection and harm your computer.

What is a DDoS?

"A denial-of-service attack (DoS attack) or distributed denial-of-service attack (DDoS attack) is an attempt to make a computer or network resource unavailable to its intended users. Although the means to carry out, motives for, and targets of a DoS attack may vary, it generally consists of the concerted efforts of a person, or multiple people to prevent an Internet site or service from functioning efficiently or at all, temporarily or indefinitely."

How easy is it to DDoS?

To see how easy it is to DDoS, I will walk you through each step of the process… Just kidding. But in all honesty, it takes about 10 minutes of googling to figure out how. Now, the thing is anyone can DoS someone which involves sending tens of thousands of tiny packets to a person's computer. The problem with a DoS attack is that it only comes from one location and can easily be blocked or may not be even be noticeable if the attacker doesn’t know much about what they are doing. On the other hand, a Distributed Denial of Service attack will come from multiple locations. This makes the attack harder to block due to the IP’s of the attacker/s being from multiple subnets. Most routers will allow you to block a subnet range but if that involves 100’s of subnets (botnet), then you will more than likely end up blocking a person/application/website/etc IP that was assigned to that subnet.

Most of the attacks that have been occurring around the League of Legends Professional scene are more than just a “script kiddie” sitting is his grandmother's basement. For instance, during the Leaguepedia Invitational Nhat Nguyen and Aphromoo were both DDoS’d during their match with Team Dynamic. I immediately had them both call me while the game was paused and once I was able to trace the source of both attacks, I quickly realized that Aphro’s DDoS attack was of a larger scale coming from multiple botnets, while Nhat’s was being directed from 2 singular locations. The fastest solution for both cases was an IP address change, since the attacks are pointed at a specific IP address and not a specific physical location. But can’t the attacker just find your IP address again? Well yes, so I will cover this in more detail later and how to keep that from occurring.

First things first

What I am going to start with is how to stop a DDoS attack if you believe you are being hit by one. Now let me make one thing clear, if you are having lag, internet is running slow periodically, or you are disconnecting from a match everyone once in a while and then being able to reconnect, the odds are that you aren’t being DDoS’d. DDoS attacks do start slow with latency issues and then they gradually get worse to a point where you are unable to access the internet whatsoever. You will begin to connect and reconnect to skype until you are unable to connect any longer. Remember that what you are being hit with is a large number of “internet packets” one at a time at a very fast pace. Just imagine jellybeans being thrown at you one at a time, it starts with 1 jellybean being thrown over and over, and then 2, and then 3, and so on and so on until you either have to eat all the jellybeans or you explode.

First and foremost we want to find out what our IP address is. The easiest way to do this is to go to www.whatismyip.us and write this number down.
This will display your external IP address since if you attempted to pull up your IP address directly from the command prompt you would be going through your router, as seen below.

Determining if you are being DDoS’d or not.

If you begin experiencing a DDoS attack (say during a big name tournament like the Leaguepedia.com Invitational) then the first thing you should do is make sure you are actually being DDoS’d or not. We have a few options to go about doing so and I highly recommend doing each.

First, we open a command prompt:

Next we will attempt to ping the outside world. We will use Reddit.com as our example.

Note: You can add the ‘-n’ option to specify how many ping request you would like to make. The default is 4. You can instead use ‘-t’ which will ping the destination until you stop it by pressing “Ctrl + c”.

The main two things we are most concerned with here is the number next to ‘time =’ as well as the percentage of packets loss which is displayed below ‘Ping statistics’. The time column is the amount of time it takes for a packet that is 32 bytes in size to travel from your computer to Reddit’s servers and then back to your computer. This is also known around the League of Legends community as your latency and is a number I’m sure most of you are pretty familiar with. In the beginning stages of a DoS attack this number will increase periodically (40ms to 800ms) and will eventually respond with “Request timed out”. So if you believe you are being DDoS’d, the first thing to do is open a command prompt and ping a reliable website that you know is online (Reddit, Google, etc). Remember that most amateur DDoS attacks take time to build up steam so you can usually catch the less sophisticated attacks before they take you completely offline. Just because you start lagging in-game or your internet goes offline momentarily doesn’t necessarily indicate you are being targeted.

NETSTAT

Netstat is the best tool you will more than likely have at your disposal that you can also run from the command line and will most likely give you a much clearer picture as to what is going on. Once you are at the command line as demonstrated above, type netstat -ano which will display all your current TCP/IP connections. You are looking for a large bulk of connections coming from the same IP address. You will also want to look at the STATE that each connection is in. If you see a bunch of SYN_RECEIVED, which means the connection has sent a request and is staying open waiting for an acknowledgement.

Who is targeting me and what can I do about it?

Most attacks that have occurred recently were done via botnets that are spaced out amongst hundreds if not thousands of IP addresses. This is where the “Distributed” part of DDoS comes in to play. However, if you are instead being hit by some teenager that just found a new tool from the internet that he believes makes him a ‘l33t h4x0r’ so to show off his new skills he finds out your IP address, plugs it into the program and clicks the start button, he is instead performing a ‘DoS’ attack. If you are so lucky (or unlucky) that this is the case, he more than likely hasn’t spoofed or blocked his IP. To find out where the DoS attack is coming from, you can run the program ‘TCPView’ (which I included in the download packet). What TCPView does is display all the current connections (endpoints) on your computer. It will be very clear where the attack is coming from once you open the program but to give you a hint, it will be the connection that is shown 100’s of times. From there you can do what you please since you now have his IP address. If you want to go the legal route then you can plug his IP into ‘www.whois.sc’ and find out who his ISP is and give they will usually be pretty helpful once you tell them the situation.

DDoS Solution – Short Term

Problem

So you are positive that you are being hit by a Distributed DoS attack and you are completely disconnected from the internet. You can’t ping any websites, all your applications are offline, and all of this is happening while you are 35 minutes into game 3 of the Leaguepedia Invitational 2 Finals. Your team has activated the pause feature for the match but you don’t have long so you need to act quickly. What do?

Pre-Solution

What is the most important ingredient that an attacker needs so they can perform a Distributed Denial of Service on someone? An Internet Protocol Address – Whenever you log into your PC and connect to the internet, you are sending a request to your Internet Service Provider (ISP) asking for them to open a connection via their pipeline to the web. Once your ISP accepts the request, it then assigns you with an IP Address that will now be your identifier whenever you “sign online”. IP Addresses are assigned to ISP’s via subnet blocks. To simplify it, your ISP is essentially given large handful of numbers that can be assigned to their customers with each one being unique. I won’t go into any further detail but the point I want to make clear is that every internet connection (no matter where) has an “address” that it is assigned and is how devices communicate with one another so if you want to stop communication from occurring, you can’t just block the attack because it is coming from hundreds of separate locations. So the best short term solution is to change your IP Address since the DDoS attacks are directed at your IP and nothing else.

Solution

Please understand that some of these steps (3 & 4) are outdated and will more than likely not work.They are included however as a precursor for some of the sections later on in the guide.
I am going to list the different ways to possibly change your IP. Start from the top and work your way down if the previous solution didn’t work.

Note: There are two different ways that your ISP can provide you an IP, Dynamically and Statically. Dynamic IP addressing involves your ISP assigning you a different IP each time you log on the ISP’s network. This doesn’t necessarily mean your ISP will change your IP each and every time your restart your computer as it is solely dependent on when they deem it necessary. A dynamic IP address will be shared with other customers and will jump around as to who receives what IP. A Static IP is exactly what it sound like, static and never changing. Static IP addressing is much less secure since you are provided an IP that never changes. ISP’s now a day only provide static IP’s to their customer due to it being cost effective compared to dynamic addressing. I highly suggest calling your ISP and finding our 1) What type of addressing you have and 2) If you are Static, is there any possibility to be changed to dynamic?

Unplug your cable/dsl modem as well as your router (for good measure) and wait 60-120 seconds. Plus back in and check www.whatismyip.com to see if you were assigned a new IP.

Some ISP’s put a TTL (Time to Live) on your IP for 8 to 24 hours so if you are under no time constraint then this can be attempted.

Call your ISP and tell them that you are being DDoS’d and that you need a new IP. Depending on who you get on the phone, as well as your ISP will determine if they will or not. I haven’t heard of many people having issues however.

Open a command prompt (Start -> run -> ‘cmd’) Release (This will disconnect you from the internet)

Renew

Open a command prompt

You are looking for the default gateway:

Type your default gateway into your internet browser to bring up your routers admin page. You will need to google the type of router you have for the username/password. Some common ones are “root/password”, “admin/password”, “password/password”, “admin/admin”. Once you get in you can attempt to Release/Renew you IP here. Here is a screenshot of my router’s configuration page.

If the above doesn’t work then your next step is attempting to clone your mac address. This can be done here and is as simple as pressing the "Clone My PC's MAC Address" button. You can only clone your mac address once but it should change your IP. This page will look like the following:

Note: The MAC Address boxes will have letters and numbers. I blurred them out for security reasons.

MAC Address Change (Solution 1)

Go into your Control Panel and pull up Network Connections

Right click your Network Adapter > Properties > Configure

Next you will want to click on the 'Advanced' tab and scroll down to 'Network Address'. The MAC address consists of 6 pairs of numbers (0 - 9) and characters (A - F) in combination. For example 22-19-A2-C5-3D-65. Remember however that when entering this value in the 'Network Address' field that you want to omit the dash (-), for example 8817E890E20A.

MAC Address Change (Solution 2)

If you still are unable to get a new IP address then you can try going into your registry settings and changing the MAC address of your Network Interface Card (NIC).

You will first want to find out what type of NIC you have. So go to ‘Control Panel’ -> ‘Network and Internet’ -> ‘Network Connections’ and find the connection that is enabled and connected and right click it and select ‘properties’. You will then see the following which will tell you what type of NIC you are using.

As you can see here, I am using an ‘Intel(R) 82579V Gigabit Adapter’.

Next you want to go your registry editor

Start -> Run -> regedit

From inside the registry editor you will navigate to:

Under this key, you should see numbers in sequence as “0000″, “0001″ and so on. Click on one at a time to check the description of the device to match it with that of your Network Card. I found my NIC all the way down at ‘0022’.

Once found, in the right-pane, look for “NetworkAddress” key value. If you find it, right-click and select modify. Enter the desired MAC-Address as a 12 digit number (all in one, no “space” “.” or “-”). Note that you can enter any arbitrary MAC-address as long as it is hexadecimal (a 12 digit string containing numbers 0-9 and letters A-F).

If you don’t find the key, right-click in the right pane, select “New” – “String Value”. Enter the name as “NetworkAddress”. Now modify and set the desired value.

Now, disable and enable the Network card from the ControlPanel – Network Connections.

This should reflect the new MAC-Address on your NIC. Should you choose to go back to the original manufacturer set MAC-Address simply delete the key you just created/modified in the Windows Registry.

After changing the MAC through the registry, start back at the first step and reattempt restarting the modem, etc.

DDoS Prevention Setup

This part of the guide will entail the actual prevention aspect and what to do to keep a DDoS attack from occurring. I am not going to try and explain the technical aspect of the VPN I am suggesting at this moment since I am trying to get this guide out as soon as possible. You will just need to trust me when I say that this VPN is your best option and provides the best of everything.

VPN

From what I have read in terms of reviews and ratings, HideMyAss is far and beyondthe best VPN on the market. However, at the time of writing this guide I haven't tried their service and the only way to really know if this VPN would be suitable for LoL’s professional scene was to buy the product myself.

Dashboard

Server Selection

They have a huge list of available servers that are categorized according to geographical distance from you.

My first attempt at connecting to a server prompted me with this:

This is a pretty big deal since they classify their servers as being overloaded at 30%

Once I made a successful VPN connection, here is the new dashboard that is displayed. Some important things to note is how you are able to make quick location changes, IP changes, as well as schedule for an IP change.

So far, so good. The next thing I wanted to check out was how my latency was in-game.

Not Connected to VPN

Connected to VPN

There was absolutely no change with my ping. I tested with other servers and on a few of them I had some jumping around between 70ms – 100ms but for most servers it would stay pretty steady. This was also done while I had two streams running.

The first thing you notice is the decrease in download speed. I have 50/5 here through time warner but if you were on a 10/5 plan through your ISP then you wouldn’t see much, if any noticeable differences. They guarantee certain speeds through their servers which is a higher speed that what most of you have at home. The ping is slightly higher but nothing of much concern either and varies according to server location.

My Thoughts on Using a VPN

My honest opinion is that if you are serious about completely protecting yourself from being DDoS’d ever again and don’t want to be forced into forfeiting a match during a $5k+ event, then purchasing a VPN is the way to go. It will easily pay for itself after one tournament. And recently, there are a good bit of the pros that haven’t been able to play a full tournament all the way through without being targeted. What’s good about HideMyAss is that you are able to make quick and fast connections to and from the VPN. So what I would do is setup the VPN and then get a new IP address via your ISP through the methods I mentioned earlier in this guide. This way if you are hesitate of using the VPN due to any performance problems there may be, you could turn it off while in-game and since you are proxied through Skype, you would be good to go.

Their FAQ will answer most of your questions and you can sign-up for an account here. -- I just created this affiliate account a few minutes ago as I figured that the League of Legends community should get something in return if we send them a handful of new accounts. So if you do decide to use hidemyass, please go through the affiliate links. I will post updates of the figures for the entire community to see and then at a certain point I will use those funds to do some sort of giveaway, tournament, you name it.

Skype Proxy (Best Solution - Combination of 2 & 3)

This should list the fastest proxies for the US. Obviously, substitute the country for another if you are not residing in the US ( Or if you wish to use a proxy in another country for whatever reason )

Step 2: Pick a server, generally you want to go with the one at the top since it's the fastest -- Step 2 Screenshot

The top three should give you a good fallback if the very top one becomes overloadedNote: Skype does not typically USE the proxy you set unless it's blocked from a direct connection however you can FORCE it to use the proxy via registry settings. That's what we're about to do.

This configurator will generate a registry file for you to merge into your windows registry.It's entirely safe, and in the event that you wish to remove your proxy ( You can't remove it through Skype itself ) , it also provides a key that will automagically remove your proxy settings.

Which equates to the first "empty string = unset", skype will attempt a direct connection, and if it fails it will use the proxy set in the Advanced Connection settings to connect.:If you know what you're doing, you can set it to Automatic so skype will use the system's proxy settings ( Internet Explorer's proxy settings ) , but for this guide we're going to be forcing it to use an HTTPS Proxy.

Obviously, substitute HTTPS for SOCKS5 if you are lucky enough to get a GOOD SOCKS5 Proxy

As seen in the previous image, Skype will still try to direct connect over UDP even while proxying TCP over HTTPS. This is a HUGE problem since it effectively renders your proxy useless. However, we can fix that by forcing Skype to disable it's usage of UDP. This will impact voice and video quality a bit, but overall it's not a huge problem and being safe is more important.I'd also like to re-iterate that SOCKS5 Proxies do not have this problem, they support both TCP and UDP through the proxy. If you can find a good one, you're very lucky or you're paying for it.

Select the Country that you reside, pick any “SOCK5” IP Address from the list and enter it as the host.Note: What you are doing is running Skype via a proxy. As long as you pick an IP that is in the same country as you reside then you shouldn’t see much, if any degradation in call quality. If you do, just select a new IP until you find the best setup.

Skype Proxy (Solution 3)

Open notepad and paste the following (substituting the proxy information with your proxy server)

Save the file as a .reg (Example: skype.reg) and then double click on it and confirm.

Thank you to MarkyOchoa from Reddit for this setup.

Closing

I'm still working on improving this guide but just haven't had the time. I have some videos that will go into more detail on what exactly a botnet is, how they are started, and why they were created in the first place. League of Legends is in a very delicate state professionally right now and all of you pro's out there need to put all of your efforts towards growing the e-sports scene worldwide, but instead you have all had to deal with the recent DDoS attacks. I plan on removing that burden from each and every team associated with the professional scene of League of Legends and would more than happy to sit down with each of you and get you to where you need to be from a technical point of view so you are no longer hindered to pursue what's most important. If you would like to talk, please feel free to email me or follow me or Leaguepedia on Twitter.

Tools

Content is available under CC BY-SA 3.0 unless otherwise noted.Game content and materials are trademarks and copyrights of their respective publisher and its licensors. All rights reserved.
This site is a part of Curse, Inc. and is not affiliated with the game publisher.